cubicweb: cubicweb/server/test/unittest_security.py@b48020a80dc3 (annotated)

11348 70337ad23145 pep8 + docstrings and comments improvments Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11195 diff changeset	1	# copyright 2003-2016 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
5421 8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	2	# contact http://www.logilab.fr/ -- mailto:contact@logilab.fr
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	3	#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	4	# This file is part of CubicWeb.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	5	#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	6	# CubicWeb is free software: you can redistribute it and/or modify it under the
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	7	# terms of the GNU Lesser General Public License as published by the Free
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	8	# Software Foundation, either version 2.1 of the License, or (at your option)
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	9	# any later version.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	10	#
5424 8ecbcbff9777 replace logilab-common by CubicWeb in disclaimer Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5421 diff changeset	11	# CubicWeb is distributed in the hope that it will be useful, but WITHOUT
5421 8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	12	# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	13	# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	14	# details.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	15	#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	16	# You should have received a copy of the GNU Lesser General Public License along
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	17	# with CubicWeb. If not, see <http://www.gnu.org/licenses/>.
5886 00a78298d30d cleanups Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5426 diff changeset	18	"""functional tests for server'security"""
00a78298d30d cleanups Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5426 diff changeset	19
10609 e2d8e81bfe68 [py3k] import range using six.moves Rémi Cardona <remi.cardona@logilab.fr> parents: 10600 diff changeset	20	from six.moves import range
e2d8e81bfe68 [py3k] import range using six.moves Rémi Cardona <remi.cardona@logilab.fr> parents: 10600 diff changeset	21
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	22	from logilab.common.testlib import unittest_main
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	23
2773 b2530e3e0afb [testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2608 diff changeset	24	from cubicweb.devtools.testlib import CubicWebTC
8546 3d2038d6f20d [sources/native] automatically update passwords using deprecated hashes on login Julien Cristau <julien.cristau@logilab.fr> parents: 8488 diff changeset	25	from cubicweb import Unauthorized, ValidationError, QueryError, Binary
8452 1ad42383a9ec [rql security] fix rql bug when using yams inheritance and read permissions (closes #2410156) Florent Cayré <florent.cayre@logilab.fr> parents: 8075 diff changeset	26	from cubicweb.schema import ERQLExpression
9954 79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	27	from cubicweb.server.querier import get_local_checks, check_relations_read_access
8546 3d2038d6f20d [sources/native] automatically update passwords using deprecated hashes on login Julien Cristau <julien.cristau@logilab.fr> parents: 8488 diff changeset	28	from cubicweb.server.utils import _CRYPTO_CTX
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	29
8452 1ad42383a9ec [rql security] fix rql bug when using yams inheritance and read permissions (closes #2410156) Florent Cayré <florent.cayre@logilab.fr> parents: 8075 diff changeset	30
2773 b2530e3e0afb [testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2608 diff changeset	31	class BaseSecurityTC(CubicWebTC):
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	32
7072 bcf96f2a4c5d [test] properly close connections Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 6410 diff changeset	33	def setup_database(self):
bcf96f2a4c5d [test] properly close connections Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 6410 diff changeset	34	super(BaseSecurityTC, self).setup_database()
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	35	with self.admin_access.client_cnx() as cnx:
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	36	self.create_user(cnx, u'iaminusersgrouponly')
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	37	hash = _CRYPTO_CTX.encrypt('oldpassword', scheme='des_crypt')
10769 c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	38	self.create_user(cnx, u'oldpassword', password=Binary(hash.encode('ascii')))
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	39
11348 70337ad23145 pep8 + docstrings and comments improvments Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11195 diff changeset	40
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	41	class LowLevelSecurityFunctionTC(BaseSecurityTC):
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	42
9954 79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	43	def test_check_relation_read_access(self):
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	44	rql = u'Personne U WHERE U nom "managers"'
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	45	rqlst = self.repo.vreg.rqlhelper.parse(rql).children[0]
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	46	nom = self.repo.schema['Personne'].rdef('nom')
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	47	with self.temporary_permissions((nom, {'read': ('users', 'managers')})):
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	48	with self.admin_access.repo_cnx() as cnx:
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	49	self.repo.vreg.solutions(cnx, rqlst, None)
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	50	check_relations_read_access(cnx, rqlst, {})
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	51	with self.new_access(u'anon').repo_cnx() as cnx:
9954 79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	52	self.assertRaises(Unauthorized,
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	53	check_relations_read_access,
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	54	cnx, rqlst, {})
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	55	self.assertRaises(Unauthorized, cnx.execute, rql)
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	56
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	57	def test_get_local_checks(self):
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	58	rql = u'Personne U WHERE U nom "managers"'
3252 c0e10da6f1cf tests update Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2920 diff changeset	59	rqlst = self.repo.vreg.rqlhelper.parse(rql).children[0]
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	60	with self.temporary_permissions(Personne={'read': ('users', 'managers')}):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	61	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	62	self.repo.vreg.solutions(cnx, rqlst, None)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	63	solution = rqlst.solutions[0]
9954 79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	64	localchecks = get_local_checks(cnx, rqlst, solution)
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	65	self.assertEqual({}, localchecks)
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	66	with self.new_access(u'anon').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	67	self.assertRaises(Unauthorized,
9954 79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	68	get_local_checks,
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	69	cnx, rqlst, solution)
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	70	self.assertRaises(Unauthorized, cnx.execute, rql)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	71
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	72	def test_upassword_not_selectable(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	73	with self.admin_access.repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	74	self.assertRaises(Unauthorized,
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	75	cnx.execute, 'Any X,P WHERE X is CWUser, X upassword P')
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	76	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	77	self.assertRaises(Unauthorized,
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	78	cnx.execute, 'Any X,P WHERE X is CWUser, X upassword P')
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	79
8546 3d2038d6f20d [sources/native] automatically update passwords using deprecated hashes on login Julien Cristau <julien.cristau@logilab.fr> parents: 8488 diff changeset	80	def test_update_password(self):
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	81	"""Ensure that if a user's password is stored with a deprecated hash,
b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	82	it will be updated on next login
b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	83	"""
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	84	with self.repo.internal_cnx() as cnx:
10769 c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	85	oldhash = cnx.system_sql("SELECT cw_upassword FROM cw_CWUser "
11348 70337ad23145 pep8 + docstrings and comments improvments Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11195 diff changeset	86	"WHERE cw_login = 'oldpassword'").fetchone()[0]
10769 c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	87	oldhash = self.repo.system_source.binary_to_str(oldhash)
11195 5de859b95988 [session, repository] deprecate repo.connect and move .close reponsibility to session object Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 11057 diff changeset	88	session = self.repo.new_session('oldpassword', password='oldpassword')
5de859b95988 [session, repository] deprecate repo.connect and move .close reponsibility to session object Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 11057 diff changeset	89	session.close()
10769 c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	90	newhash = cnx.system_sql("SELECT cw_upassword FROM cw_CWUser "
c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	91	"WHERE cw_login = 'oldpassword'").fetchone()[0]
c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	92	newhash = self.repo.system_source.binary_to_str(newhash)
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	93	self.assertNotEqual(oldhash, newhash)
10769 c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	94	self.assertTrue(newhash.startswith(b'$6$'))
11195 5de859b95988 [session, repository] deprecate repo.connect and move .close reponsibility to session object Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 11057 diff changeset	95	session = self.repo.new_session('oldpassword', password='oldpassword')
5de859b95988 [session, repository] deprecate repo.connect and move .close reponsibility to session object Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 11057 diff changeset	96	session.close()
10769 c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	97	newnewhash = cnx.system_sql("SELECT cw_upassword FROM cw_CWUser WHERE "
c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	98	"cw_login = 'oldpassword'").fetchone()[0]
c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	99	newnewhash = self.repo.system_source.binary_to_str(newnewhash)
c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	100	self.assertEqual(newhash, newnewhash)
8546 3d2038d6f20d [sources/native] automatically update passwords using deprecated hashes on login Julien Cristau <julien.cristau@logilab.fr> parents: 8488 diff changeset	101
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	102
5888 3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	103	class SecurityRewritingTC(BaseSecurityTC):
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	104	def hijack_source_execute(self):
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	105	def syntax_tree_search(args, *kwargs):
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	106	self.query = (args, kwargs)
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	107	return []
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	108	self.repo.system_source.syntax_tree_search = syntax_tree_search
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	109
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	110	def tearDown(self):
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	111	self.repo.system_source.__dict__.pop('syntax_tree_search', None)
7072 bcf96f2a4c5d [test] properly close connections Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 6410 diff changeset	112	super(SecurityRewritingTC, self).tearDown()
5888 3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	113
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	114	def test_not_relation_read_security(self):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	115	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
11699 b48020a80dc3 Store user groups and properties as session data Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11348 diff changeset	116	cnx.user.groups # fill the cache before screwing syntax_tree_search
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	117	self.hijack_source_execute()
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	118	cnx.execute('Any U WHERE NOT A todo_by U, A is Affaire')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	119	self.assertEqual(self.query[0][1].as_string(),
11348 70337ad23145 pep8 + docstrings and comments improvments Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11195 diff changeset	120	'Any U WHERE NOT EXISTS(A todo_by U), A is Affaire')
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	121	cnx.execute('Any U WHERE NOT EXISTS(A todo_by U), A is Affaire')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	122	self.assertEqual(self.query[0][1].as_string(),
11348 70337ad23145 pep8 + docstrings and comments improvments Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11195 diff changeset	123	'Any U WHERE NOT EXISTS(A todo_by U), A is Affaire')
70337ad23145 pep8 + docstrings and comments improvments Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11195 diff changeset	124
5888 3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	125
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	126	class SecurityTC(BaseSecurityTC):
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	127
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	128	def setUp(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	129	super(SecurityTC, self).setUp()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	130	# implicitly test manager can add some entities
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	131	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	132	cnx.execute("INSERT Affaire X: X sujet 'cool'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	133	cnx.execute("INSERT Societe X: X nom 'logilab'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	134	cnx.execute("INSERT Personne X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	135	cnx.execute('INSERT CWGroup X: X name "staff"')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	136	cnx.commit()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	137
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	138	def test_insert_security(self):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	139	with self.new_access(u'anon').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	140	cnx.execute("INSERT Personne X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	141	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	142	self.assertEqual(cnx.execute('Personne X').rowcount, 1)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	143
10153 85cbf16fbb57 [security] Test case and fix for an INSERT security hole Julien Cristau <julien.cristau@logilab.fr> parents: 9981 diff changeset	144	def test_insert_security_2(self):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	145	with self.new_access(u'anon').repo_cnx() as cnx:
10158 efc8645ece43 [server/test] convert new test to 3.19 API Julien Cristau <julien.cristau@logilab.fr> parents: 10156 diff changeset	146	cnx.execute("INSERT Affaire X")
efc8645ece43 [server/test] convert new test to 3.19 API Julien Cristau <julien.cristau@logilab.fr> parents: 10156 diff changeset	147	self.assertRaises(Unauthorized, cnx.commit)
10153 85cbf16fbb57 [security] Test case and fix for an INSERT security hole Julien Cristau <julien.cristau@logilab.fr> parents: 9981 diff changeset	148	# anon has no read permission on Affaire entities, so
85cbf16fbb57 [security] Test case and fix for an INSERT security hole Julien Cristau <julien.cristau@logilab.fr> parents: 9981 diff changeset	149	# rowcount == 0
10158 efc8645ece43 [server/test] convert new test to 3.19 API Julien Cristau <julien.cristau@logilab.fr> parents: 10156 diff changeset	150	self.assertEqual(cnx.execute('Affaire X').rowcount, 0)
10153 85cbf16fbb57 [security] Test case and fix for an INSERT security hole Julien Cristau <julien.cristau@logilab.fr> parents: 9981 diff changeset	151
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	152	def test_insert_rql_permission(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	153	# test user can only add une affaire related to a societe he owns
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	154	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	155	cnx.execute("INSERT Affaire X: X sujet 'cool'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	156	self.assertRaises(Unauthorized, cnx.commit)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	157	# test nothing has actually been inserted
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	158	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	159	self.assertEqual(cnx.execute('Affaire X').rowcount, 1)
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	160	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	161	cnx.execute("INSERT Affaire X: X sujet 'cool'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	162	cnx.execute("INSERT Societe X: X nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	163	cnx.execute("SET A concerne S WHERE A sujet 'cool', S nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	164	cnx.commit()
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	165
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	166	def test_update_security_1(self):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	167	with self.new_access(u'anon').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	168	# local security check
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	169	cnx.execute( "SET X nom 'bidulechouette' WHERE X is Personne")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	170	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	171	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	172	self.assertEqual(cnx.execute('Personne X WHERE X nom "bidulechouette"').rowcount, 0)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	173
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	174	def test_update_security_2(self):
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	175	with self.temporary_permissions(Personne={'read': ('users', 'managers'),
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	176	'add': ('guests', 'users', 'managers')}):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	177	with self.new_access(u'anon').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	178	self.assertRaises(Unauthorized, cnx.execute,
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	179	"SET X nom 'bidulechouette' WHERE X is Personne")
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	180	# test nothing has actually been inserted
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	181	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	182	self.assertEqual(cnx.execute('Personne X WHERE X nom "bidulechouette"').rowcount, 0)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	183
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	184	def test_update_security_3(self):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	185	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	186	cnx.execute("INSERT Personne X: X nom 'biduuule'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	187	cnx.execute("INSERT Societe X: X nom 'looogilab'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	188	cnx.execute("SET X travaille S WHERE X nom 'biduuule', S nom 'looogilab'")
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	189
10114 6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9984 diff changeset	190	def test_insert_immutable_attribute_update(self):
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9984 diff changeset	191	with self.admin_access.repo_cnx() as cnx:
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9984 diff changeset	192	cnx.create_entity('Old', name=u'Babar')
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9984 diff changeset	193	cnx.commit()
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9984 diff changeset	194	# this should be equivalent
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9984 diff changeset	195	o = cnx.create_entity('Old')
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9984 diff changeset	196	o.cw_set(name=u'Celeste')
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9984 diff changeset	197	cnx.commit()
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	198
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	199	def test_update_rql_permission(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	200	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	201	cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	202	cnx.commit()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	203	# test user can only update une affaire related to a societe he owns
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	204	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	205	cnx.execute("SET X sujet 'pascool' WHERE X is Affaire")
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	206	# this won't actually do anything since the selection query won't return anything
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	207	cnx.commit()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	208	# to actually get Unauthorized exception, try to update an entity we can read
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	209	cnx.execute("SET X nom 'toto' WHERE X is Societe")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	210	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	211	cnx.execute("INSERT Affaire X: X sujet 'pascool'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	212	cnx.execute("INSERT Societe X: X nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	213	cnx.execute("SET A concerne S WHERE A sujet 'pascool', S nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	214	cnx.execute("SET X sujet 'habahsicestcool' WHERE X sujet 'pascool'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	215	cnx.commit()
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	216
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	217	def test_delete_security(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	218	# FIXME: sample below fails because we don't detect "owner" can't delete
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	219	# user anyway, and since no user with login == 'bidule' exists, no
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	220	# exception is raised
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	221	#user._groups = {'guests':1}
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	222	#self.assertRaises(Unauthorized,
1398 5fe84a5f7035 rename internal entity types to have CW prefix instead of E sylvain.thenault@logilab.fr parents: 389 diff changeset	223	# self.o.execute, user, "DELETE CWUser X WHERE X login 'bidule'")
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	224	# check local security
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	225	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	226	self.assertRaises(Unauthorized, cnx.execute, "DELETE CWGroup Y WHERE Y name 'staff'")
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	227
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	228	def test_delete_rql_permission(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	229	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	230	cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	231	cnx.commit()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	232	# test user can only dele une affaire related to a societe he owns
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	233	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	234	# this won't actually do anything since the selection query won't return anything
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	235	cnx.execute("DELETE Affaire X")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	236	cnx.commit()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	237	# to actually get Unauthorized exception, try to delete an entity we can read
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	238	self.assertRaises(Unauthorized, cnx.execute, "DELETE Societe S")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	239	self.assertRaises(QueryError, cnx.commit) # can't commit anymore
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	240	cnx.rollback()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	241	cnx.execute("INSERT Affaire X: X sujet 'pascool'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	242	cnx.execute("INSERT Societe X: X nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	243	cnx.execute("SET A concerne S WHERE A sujet 'pascool', S nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	244	cnx.commit()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	245	## # this one should fail since it will try to delete two affaires, one authorized
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	246	## # and the other not
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	247	## self.assertRaises(Unauthorized, cnx.execute, "DELETE Affaire X")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	248	cnx.execute("DELETE Affaire X WHERE X sujet 'pascool'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	249	cnx.commit()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	250
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	251	def test_insert_relation_rql_permission(self):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	252	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	253	cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	254	# should raise Unauthorized since user don't own S though this won't
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	255	# actually do anything since the selection query won't return
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	256	# anything
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	257	cnx.commit()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	258	# to actually get Unauthorized exception, try to insert a relation
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	259	# were we can read both entities
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	260	rset = cnx.execute('Personne P')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	261	self.assertEqual(len(rset), 1)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	262	ent = rset.get_entity(0, 0)
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	263	self.assertFalse(cnx.execute('Any P,S WHERE P travaille S,P is Personne, S is Societe'))
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	264	self.assertRaises(Unauthorized, ent.cw_check_perm, 'update')
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	265	self.assertRaises(Unauthorized,
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	266	cnx.execute, "SET P travaille S WHERE P is Personne, S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	267	self.assertRaises(QueryError, cnx.commit) # can't commit anymore
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	268	cnx.rollback()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	269	# test nothing has actually been inserted:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	270	self.assertFalse(cnx.execute('Any P,S WHERE P travaille S,P is Personne, S is Societe'))
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	271	cnx.execute("INSERT Societe X: X nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	272	cnx.execute("SET A concerne S WHERE A is Affaire, S nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	273	cnx.commit()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	274
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	275	def test_delete_relation_rql_permission(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	276	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	277	cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	278	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	279	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	280	# this won't actually do anything since the selection query won't return anything
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	281	cnx.execute("DELETE A concerne S")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	282	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	283	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	284	# to actually get Unauthorized exception, try to delete a relation we can read
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	285	eid = cnx.execute("INSERT Affaire X: X sujet 'pascool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	286	cnx.execute('SET X owned_by U WHERE X eid %(x)s, U login "iaminusersgrouponly"',
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	287	{'x': eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	288	cnx.execute("SET A concerne S WHERE A sujet 'pascool', S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	289	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	290	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	291	self.assertRaises(Unauthorized, cnx.execute, "DELETE A concerne S")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	292	self.assertRaises(QueryError, cnx.commit) # can't commit anymore
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	293	cnx.rollback()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	294	cnx.execute("INSERT Societe X: X nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	295	cnx.execute("SET A concerne S WHERE A is Affaire, S nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	296	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	297	cnx.execute("DELETE A concerne S WHERE S nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	298	cnx.commit()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	299
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	300
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	301	def test_user_can_change_its_upassword(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	302	with self.admin_access.repo_cnx() as cnx:
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	303	ueid = self.create_user(cnx, u'user').eid
131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	304	with self.new_access(u'user').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	305	cnx.execute('SET X upassword %(passwd)s WHERE X eid %(x)s',
10769 c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	306	{'x': ueid, 'passwd': b'newpwd'})
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	307	cnx.commit()
11195 5de859b95988 [session, repository] deprecate repo.connect and move .close reponsibility to session object Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 11057 diff changeset	308	session = self.repo.new_session('user', password='newpwd')
5de859b95988 [session, repository] deprecate repo.connect and move .close reponsibility to session object Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 11057 diff changeset	309	session.close()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	310
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	311	def test_user_cant_change_other_upassword(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	312	with self.admin_access.repo_cnx() as cnx:
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	313	ueid = self.create_user(cnx, u'otheruser').eid
131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	314	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	315	cnx.execute('SET X upassword %(passwd)s WHERE X eid %(x)s',
10769 c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	316	{'x': ueid, 'passwd': b'newpwd'})
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	317	self.assertRaises(Unauthorized, cnx.commit)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	318
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	319	# read security test
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	320
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	321	def test_read_base(self):
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	322	with self.temporary_permissions(Personne={'read': ('users', 'managers')}):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	323	with self.new_access(u'anon').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	324	self.assertRaises(Unauthorized,
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	325	cnx.execute, 'Personne U where U nom "managers"')
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	326
321 247947250382 fix security bug w/ query using 'NOT X eid 123' Sylvain Thenault <sylvain.thenault@logilab.fr> parents: 0 diff changeset	327	def test_read_erqlexpr_base(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	328	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	329	eid = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	330	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	331	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	332	rset = cnx.execute('Affaire X')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	333	self.assertEqual(rset.rows, [])
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	334	self.assertRaises(Unauthorized, cnx.execute, 'Any X WHERE X eid %(x)s', {'x': eid})
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	335	# cache test
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	336	self.assertRaises(Unauthorized, cnx.execute, 'Any X WHERE X eid %(x)s', {'x': eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	337	aff2 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	338	soc1 = cnx.execute("INSERT Societe X: X nom 'chouette'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	339	cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	340	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	341	rset = cnx.execute('Any X WHERE X eid %(x)s', {'x': aff2})
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	342	self.assertEqual(rset.rows, [[aff2]])
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	343	# more cache test w/ NOT eid
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	344	rset = cnx.execute('Affaire X WHERE NOT X eid %(x)s', {'x': eid})
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	345	self.assertEqual(rset.rows, [[aff2]])
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	346	rset = cnx.execute('Affaire X WHERE NOT X eid %(x)s', {'x': aff2})
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	347	self.assertEqual(rset.rows, [])
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	348	# test can't update an attribute of an entity that can't be readen
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	349	self.assertRaises(Unauthorized, cnx.execute,
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	350	'SET X sujet "hacked" WHERE X eid %(x)s', {'x': eid})
4765 c33d12865641 more tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4711 diff changeset	351
c33d12865641 more tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4711 diff changeset	352
c33d12865641 more tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4711 diff changeset	353	def test_entity_created_in_transaction(self):
c33d12865641 more tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4711 diff changeset	354	affschema = self.schema['Affaire']
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	355	with self.temporary_permissions(Affaire={'read': affschema.permissions['add']}):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	356	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	357	aff2 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	358	# entity created in transaction are readable by eid
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	359	self.assertTrue(cnx.execute('Any X WHERE X eid %(x)s', {'x':aff2}))
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	360	# XXX would be nice if it worked
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	361	rset = cnx.execute("Affaire X WHERE X sujet 'cool'")
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	362	self.assertEqual(len(rset), 0)
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	363	self.assertRaises(Unauthorized, cnx.commit)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	364
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	365	def test_read_erqlexpr_has_text1(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	366	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	367	aff1 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	368	card1 = cnx.execute("INSERT Card X: X title 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	369	cnx.execute('SET X owned_by U WHERE X eid %(x)s, U login "iaminusersgrouponly"',
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	370	{'x': card1})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	371	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	372	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	373	aff2 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	374	soc1 = cnx.execute("INSERT Societe X: X nom 'chouette'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	375	cnx.execute("SET A concerne S WHERE A eid %(a)s, S eid %(s)s", {'a': aff2, 's': soc1})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	376	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	377	self.assertRaises(Unauthorized, cnx.execute, 'Any X WHERE X eid %(x)s', {'x':aff1})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	378	self.assertTrue(cnx.execute('Any X WHERE X eid %(x)s', {'x':aff2}))
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	379	self.assertTrue(cnx.execute('Any X WHERE X eid %(x)s', {'x':card1}))
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	380	rset = cnx.execute("Any X WHERE X has_text 'cool'")
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	381	self.assertEqual(sorted(eid for eid, in rset.rows),
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	382	[card1, aff2])
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	383
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	384	def test_read_erqlexpr_has_text2(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	385	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	386	cnx.execute("INSERT Personne X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	387	cnx.execute("INSERT Societe X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	388	cnx.commit()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	389	with self.temporary_permissions(Personne={'read': ('managers',)}):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	390	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	391	rset = cnx.execute('Any N WHERE N has_text "bidule"')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	392	self.assertEqual(len(rset.rows), 1, rset.rows)
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	393	rset = cnx.execute('Any N WITH N BEING (Any N WHERE N has_text "bidule")')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	394	self.assertEqual(len(rset.rows), 1, rset.rows)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	395
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	396	def test_read_erqlexpr_optional_rel(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	397	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	398	cnx.execute("INSERT Personne X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	399	cnx.execute("INSERT Societe X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	400	cnx.commit()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	401	with self.temporary_permissions(Personne={'read': ('managers',)}):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	402	with self.new_access(u'anon').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	403	rset = cnx.execute('Any N,U WHERE N has_text "bidule", N owned_by U?')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	404	self.assertEqual(len(rset.rows), 1, rset.rows)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	405
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	406	def test_read_erqlexpr_aggregat(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	407	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	408	cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	409	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	410	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	411	rset = cnx.execute('Any COUNT(X) WHERE X is Affaire')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	412	self.assertEqual(rset.rows, [[0]])
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	413	aff2 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	414	soc1 = cnx.execute("INSERT Societe X: X nom 'chouette'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	415	cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	416	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	417	rset = cnx.execute('Any COUNT(X) WHERE X is Affaire')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	418	self.assertEqual(rset.rows, [[1]])
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	419	rset = cnx.execute('Any ETN, COUNT(X) GROUPBY ETN WHERE X is ET, ET name ETN')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	420	values = dict(rset)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	421	self.assertEqual(values['Affaire'], 1)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	422	self.assertEqual(values['Societe'], 2)
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	423	rset = cnx.execute('Any ETN, COUNT(X) GROUPBY ETN WHERE X is ET, ET name ETN '
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	424	'WITH X BEING ((Affaire X) UNION (Societe X))')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	425	self.assertEqual(len(rset), 2)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	426	values = dict(rset)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	427	self.assertEqual(values['Affaire'], 1)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	428	self.assertEqual(values['Societe'], 2)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	429
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	430
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	431	def test_attribute_security(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	432	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	433	# only managers should be able to edit the 'test' attribute of Personne entities
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	434	eid = cnx.execute("INSERT Personne X: X nom 'bidule', "
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	435	"X web 'http://www.debian.org', X test TRUE")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	436	cnx.execute('SET X test FALSE WHERE X eid %(x)s', {'x': eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	437	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	438	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	439	cnx.execute("INSERT Personne X: X nom 'bidule', "
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	440	"X web 'http://www.debian.org', X test TRUE")
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	441	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	442	cnx.execute("INSERT Personne X: X nom 'bidule', "
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	443	"X web 'http://www.debian.org', X test FALSE")
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	444	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	445	eid = cnx.execute("INSERT Personne X: X nom 'bidule', "
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	446	"X web 'http://www.debian.org'")[0][0]
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	447	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	448	cnx.execute('SET X test FALSE WHERE X eid %(x)s', {'x': eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	449	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	450	cnx.execute('SET X test TRUE WHERE X eid %(x)s', {'x': eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	451	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	452	cnx.execute('SET X web "http://www.logilab.org" WHERE X eid %(x)s', {'x': eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	453	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	454	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9984 793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	455	cnx.execute('INSERT Frozable F: F name "Foo"')
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	456	cnx.commit()
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	457	cnx.execute('SET F name "Bar" WHERE F is Frozable')
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	458	cnx.commit()
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	459	cnx.execute('SET F name "BaBar" WHERE F is Frozable')
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	460	cnx.execute('SET F frozen True WHERE F is Frozable')
9981 7099bbd685aa [hooks/security] allow edition of attributes with permissive permissions Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	461	with self.assertRaises(Unauthorized):
9984 793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	462	cnx.commit()
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	463	cnx.rollback()
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	464	cnx.execute('SET F frozen True WHERE F is Frozable')
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	465	cnx.commit()
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	466	cnx.execute('SET F name "Bar" WHERE F is Frozable')
9981 7099bbd685aa [hooks/security] allow edition of attributes with permissive permissions Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	467	with self.assertRaises(Unauthorized):
9984 793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	468	cnx.commit()
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	469
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	470	def test_attribute_security_rqlexpr(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	471	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	472	# Note.para attribute editable by managers or if the note is in "todo" state
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	473	note = cnx.execute("INSERT Note X: X para 'bidule'").get_entity(0, 0)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	474	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	475	note.cw_adapt_to('IWorkflowable').fire_transition('markasdone')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	476	cnx.execute('SET X para "truc" WHERE X eid %(x)s', {'x': note.eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	477	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	478	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	479	cnx.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note.eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	480	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	481	note2 = cnx.execute("INSERT Note X: X para 'bidule'").get_entity(0, 0)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	482	cnx.commit()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	483	note2.cw_adapt_to('IWorkflowable').fire_transition('markasdone')
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	484	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	485	self.assertEqual(len(cnx.execute('Any X WHERE X in_state S, S name "todo", X eid %(x)s',
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	486	{'x': note2.eid})),
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	487	0)
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	488	cnx.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note2.eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	489	self.assertRaises(Unauthorized, cnx.commit)
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	490	note2.cw_adapt_to('IWorkflowable').fire_transition('redoit')
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	491	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	492	cnx.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note2.eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	493	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	494	cnx.execute("INSERT Note X: X something 'A'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	495	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	496	cnx.execute("INSERT Note X: X para 'zogzog', X something 'A'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	497	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	498	note = cnx.execute("INSERT Note X").get_entity(0,0)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	499	cnx.commit()
9395 96dba2efd16d [hooks/security] provide attribute "add" permission Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 8694 diff changeset	500	note.cw_set(something=u'B')
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	501	cnx.commit()
9395 96dba2efd16d [hooks/security] provide attribute "add" permission Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 8694 diff changeset	502	note.cw_set(something=None, para=u'zogzog')
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	503	cnx.commit()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	504
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	505	def test_attribute_read_security(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	506	# anon not allowed to see users'login, but they can see users
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	507	login_rdef = self.repo.schema['CWUser'].rdef('login')
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	508	with self.temporary_permissions((login_rdef, {'read': ('users', 'managers')}),
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	509	CWUser={'read': ('guests', 'users', 'managers')}):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	510	with self.new_access(u'anon').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	511	rset = cnx.execute('CWUser X')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	512	self.assertTrue(rset)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	513	x = rset.get_entity(0, 0)
10463 9add9b7f9df7 [server/test] fix random error in unittest_security Julien Cristau <julien.cristau@logilab.fr> parents: 10249 diff changeset	514	x.complete()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	515	self.assertEqual(x.login, None)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	516	self.assertTrue(x.creation_date)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	517	x = rset.get_entity(1, 0)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	518	x.complete()
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	519	self.assertEqual(x.login, None)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	520	self.assertTrue(x.creation_date)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	521
8452 1ad42383a9ec [rql security] fix rql bug when using yams inheritance and read permissions (closes #2410156) Florent Cayré <florent.cayre@logilab.fr> parents: 8075 diff changeset	522	def test_yams_inheritance_and_security_bug(self):
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	523	with self.temporary_permissions(Division={'read': ('managers',
b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	524	ERQLExpression('X owned_by U'))}):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	525	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	526	querier = cnx.repo.querier
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	527	rqlst = querier.parse('Any X WHERE X is_instance_of Societe')
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	528	querier.solutions(cnx, rqlst, {})
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	529	querier._annotate(rqlst)
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	530	plan = querier.plan_factory(rqlst, {}, cnx)
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	531	plan.preprocess(rqlst)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	532	self.assertEqual(
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	533	rqlst.as_string(),
10249 e38b8d37c5d8 [rqlrewrite] sort possible types when turning is_instance_of into is Julien Cristau <julien.cristau@logilab.fr> parents: 10248 diff changeset	534	'(Any X WHERE X is IN(Societe, SubDivision)) UNION '
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	535	'(Any X WHERE X is Division, EXISTS(X owned_by %(B)s))')
8452 1ad42383a9ec [rql security] fix rql bug when using yams inheritance and read permissions (closes #2410156) Florent Cayré <florent.cayre@logilab.fr> parents: 8075 diff changeset	536
1ad42383a9ec [rql security] fix rql bug when using yams inheritance and read permissions (closes #2410156) Florent Cayré <florent.cayre@logilab.fr> parents: 8075 diff changeset	537
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	538	class BaseSchemaSecurityTC(BaseSecurityTC):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	539	"""tests related to the base schema permission configuration"""
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	540
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	541	def test_user_can_delete_object_he_created(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	542	# even if some other user have changed object'state
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	543	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	544	# due to security test, affaire has to concerne a societe the user owns
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	545	cnx.execute('INSERT Societe X: X nom "ARCTIA"')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	546	cnx.execute('INSERT Affaire X: X ref "ARCT01", X concerne S WHERE S nom "ARCTIA"')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	547	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	548	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	549	affaire = cnx.execute('Any X WHERE X ref "ARCT01"').get_entity(0, 0)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	550	affaire.cw_adapt_to('IWorkflowable').fire_transition('abort')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	551	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	552	self.assertEqual(len(cnx.execute('TrInfo X WHERE X wf_info_for A, A ref "ARCT01"')),
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	553	1)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	554	self.assertEqual(len(cnx.execute('TrInfo X WHERE X wf_info_for A, A ref "ARCT01",'
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	555	'X owned_by U, U login "admin"')),
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	556	1) # TrInfo at the above state change
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	557	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	558	cnx.execute('DELETE Affaire X WHERE X ref "ARCT01"')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	559	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	560	self.assertFalse(cnx.execute('Affaire X'))
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	561
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	562	def test_users_and_groups_non_readable_by_guests(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	563	with self.repo.internal_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	564	admineid = cnx.execute('CWUser U WHERE U login "admin"').rows[0][0]
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	565	with self.new_access(u'anon').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	566	anon = cnx.user
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	567	# anonymous user can only read itself
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	568	rset = cnx.execute('Any L WHERE X owned_by U, U login L')
8624 7e415f457155 [test] swap order in assert of `test_users_and_groups_non_readable_by_guests` Pierre-Yves David <pierre-yves.david@logilab.fr> parents: 8546 diff changeset	569	self.assertEqual([['anon']], rset.rows)
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	570	rset = cnx.execute('CWUser X')
8624 7e415f457155 [test] swap order in assert of `test_users_and_groups_non_readable_by_guests` Pierre-Yves David <pierre-yves.david@logilab.fr> parents: 8546 diff changeset	571	self.assertEqual([[anon.eid]], rset.rows)
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	572	# anonymous user can read groups (necessary to check allowed transitions for instance)
10600 180aa08cad48 [tests] Replace use of deprecated TestCase.assert_ Rémi Cardona <remi.cardona@logilab.fr> parents: 10463 diff changeset	573	self.assertTrue(cnx.execute('CWGroup X'))
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	574	# should only be able to read the anonymous user, not another one
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	575	self.assertRaises(Unauthorized,
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	576	cnx.execute, 'CWUser X WHERE X eid %(x)s', {'x': admineid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	577	rset = cnx.execute('CWUser X WHERE X eid %(x)s', {'x': anon.eid})
8624 7e415f457155 [test] swap order in assert of `test_users_and_groups_non_readable_by_guests` Pierre-Yves David <pierre-yves.david@logilab.fr> parents: 8546 diff changeset	578	self.assertEqual([[anon.eid]], rset.rows)
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	579	# but can't modify it
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	580	cnx.execute('SET X login "toto" WHERE X eid %(x)s', {'x': anon.eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	581	self.assertRaises(Unauthorized, cnx.commit)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	582
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	583	def test_in_group_relation(self):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	584	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	585	rql = u"DELETE U in_group G WHERE U login 'admin'"
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	586	self.assertRaises(Unauthorized, cnx.execute, rql)
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	587	rql = u"SET U in_group G WHERE U login 'admin', G name 'users'"
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	588	self.assertRaises(Unauthorized, cnx.execute, rql)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	589
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	590	def test_owned_by(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	591	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	592	cnx.execute("INSERT Personne X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	593	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	594	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	595	rql = u"SET X owned_by U WHERE U login 'iaminusersgrouponly', X is Personne"
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	596	self.assertRaises(Unauthorized, cnx.execute, rql)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	597
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	598	def test_bookmarked_by_guests_security(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	599	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	600	beid1 = cnx.execute('INSERT Bookmark B: B path "?vid=manage", B title "manage"')[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	601	beid2 = cnx.execute('INSERT Bookmark B: B path "?vid=index", B title "index", '
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	602	'B bookmarked_by U WHERE U login "anon"')[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	603	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	604	with self.new_access(u'anon').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	605	anoneid = cnx.user.eid
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	606	self.assertEqual(cnx.execute('Any T,P ORDERBY lower(T) WHERE B is Bookmark,B title T,B path P,'
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	607	'B bookmarked_by U, U eid %s' % anoneid).rows,
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	608	[['index', '?vid=index']])
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	609	self.assertEqual(cnx.execute('Any T,P ORDERBY lower(T) WHERE B is Bookmark,B title T,B path P,'
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	610	'B bookmarked_by U, U eid %(x)s', {'x': anoneid}).rows,
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	611	[['index', '?vid=index']])
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	612	# can read others bookmarks as well
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	613	self.assertEqual(cnx.execute('Any B where B is Bookmark, NOT B bookmarked_by U').rows,
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	614	[[beid1]])
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	615	self.assertRaises(Unauthorized, cnx.execute,'DELETE B bookmarked_by U')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	616	self.assertRaises(Unauthorized,
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	617	cnx.execute, 'SET B bookmarked_by U WHERE U eid %(x)s, B eid %(b)s',
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	618	{'x': anoneid, 'b': beid1})
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	619
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	620	def test_ambigous_ordered(self):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	621	with self.new_access(u'anon').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	622	names = [t for t, in cnx.execute('Any N ORDERBY lower(N) WHERE X name N')]
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	623	self.assertEqual(names, sorted(names, key=lambda x: x.lower()))
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	624
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	625	def test_in_state_without_update_perm(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	626	"""check a user change in_state without having update permission on the
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	627	subject
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	628	"""
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	629	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	630	eid = cnx.execute('INSERT Affaire X: X ref "ARCT01"')[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	631	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	632	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	633	# needed to remove rql expr granting update perm to the user
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	634	affschema = self.schema['Affaire']
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	635	with self.temporary_permissions(Affaire={'update': affschema.get_groups('update'),
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	636	'read': ('users',)}):
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	637	self.assertRaises(Unauthorized,
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	638	affschema.check_perm, cnx, 'update', eid=eid)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	639	aff = cnx.execute('Any X WHERE X ref "ARCT01"').get_entity(0, 0)
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	640	aff.cw_adapt_to('IWorkflowable').fire_transition('abort')
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	641	cnx.commit()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	642	# though changing a user state (even logged user) is reserved to managers
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	643	user = cnx.user
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	644	# XXX wether it should raise Unauthorized or ValidationError is not clear
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	645	# the best would probably ValidationError if the transition doesn't exist
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	646	# from the current state but Unauthorized if it exists but user can't pass it
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	647	self.assertRaises(ValidationError,
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	648	user.cw_adapt_to('IWorkflowable').fire_transition, 'deactivate')
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	649
2501 fa86d99c2c3a test and fix wf history security Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2500 diff changeset	650	def test_trinfo_security(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	651	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	652	aff = cnx.execute('INSERT Affaire X: X ref "ARCT01"').get_entity(0, 0)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	653	iworkflowable = aff.cw_adapt_to('IWorkflowable')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	654	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	655	iworkflowable.fire_transition('abort')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	656	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	657	# can change tr info comment
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	658	cnx.execute('SET TI comment %(c)s WHERE TI wf_info_for X, X ref "ARCT01"',
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	659	{'c': u'bouh!'})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	660	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	661	aff.cw_clear_relation_cache('wf_info_for', 'object')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	662	trinfo = iworkflowable.latest_trinfo()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	663	self.assertEqual(trinfo.comment, 'bouh!')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	664	# but not from_state/to_state
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	665	aff.cw_clear_relation_cache('wf_info_for', role='object')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	666	self.assertRaises(Unauthorized, cnx.execute,
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	667	'SET TI from_state S WHERE TI eid %(ti)s, S name "ben non"',
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	668	{'ti': trinfo.eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	669	self.assertRaises(Unauthorized, cnx.execute,
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	670	'SET TI to_state S WHERE TI eid %(ti)s, S name "pitetre"',
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	671	{'ti': trinfo.eid})
2501 fa86d99c2c3a test and fix wf history security Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2500 diff changeset	672
8161 6f4229eb8178 [test] fix test broken by 8158:2ee254e74382 and add a test for that change Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8075 diff changeset	673	def test_emailaddress_security(self):
8649 8fbb2f65721e [test] precheck initial condition Pierre-Yves David <pierre-yves.david@logilab.fr> parents: 8546 diff changeset	674	# check for prexisting email adresse
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	675	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	676	if cnx.execute('Any X WHERE X is EmailAddress'):
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	677	rset = cnx.execute('Any X, U WHERE X is EmailAddress, U use_email X')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	678	msg = ['Preexisting email readable by anon found!']
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	679	tmpl = ' - "%s" used by user "%s"'
10609 e2d8e81bfe68 [py3k] import range using six.moves Rémi Cardona <remi.cardona@logilab.fr> parents: 10600 diff changeset	680	for i in range(len(rset)):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	681	email, user = rset.get_entity(i, 0), rset.get_entity(i, 1)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	682	msg.append(tmpl % (email.dc_title(), user.dc_title()))
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	683	raise RuntimeError('\n'.join(msg))
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	684	# actual test
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	685	cnx.execute('INSERT EmailAddress X: X address "hop"').get_entity(0, 0)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	686	cnx.execute('INSERT EmailAddress X: X address "anon", '
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	687	'U use_email X WHERE U login "anon"').get_entity(0, 0)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	688	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	689	self.assertEqual(len(cnx.execute('Any X WHERE X is EmailAddress')), 2)
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	690	with self.new_access(u'anon').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	691	self.assertEqual(len(cnx.execute('Any X WHERE X is EmailAddress')), 1)
8161 6f4229eb8178 [test] fix test broken by 8158:2ee254e74382 and add a test for that change Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8075 diff changeset	692
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	693	if __name__ == '__main__':
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	694	unittest_main()

author	Sylvain Thénault <sylvain.thenault@logilab.fr>
	Mon, 06 Jun 2016 15:26:49 +0200
changeset 11699	b48020a80dc3
parent 11348	70337ad23145
child 12027	c62c80f20a82
permissions	-rw-r--r--